Skip to content

Microsoft Secure


Austria – Lessons from Some of the Least Malware Infected Countries in the World – Part 2

In my last post on this topic, I mentioned providing a series of posts focused on the threat landscape in locations that consistently have low malware infection rates in the hopes of uncovering insights that might help other regions.

I have observed that Austria has consistently had a malware infection rate below the worldwide average since we started publishing regional malware infection rates in the Microsoft Security Intelligence Report (SIR) volume 3 focused on the first half of 2007. The chart below illustrates the infection rate trend in Austria for 2009 and 2010.

Figure: Infection rates for Austria in 2009 and 2010 by quarter by CCM


The graph below provides some context on what Austria’s malware infection rate looks like versus the other 116 countries we provided malware infection data on in the latest SIR, volume 10 (SIRv10).

Figure: CCM trend for Austria over 6 quarters, compared to 116 other countries and regions and to the world as a whole


Looking at other data for Austria in 2010, we see the following:

· Phishing sites (per 1,000 hosts) in the United States was 2.8 times higher than the number of phishing sites found in Austria (per 1,000 hosts) in 2010

· Malware hosting sites (per 1,000 hosts) in the United States was 4.2 times higher than the number found in Austria in the first half of 2010 and 3 times higher in the second half of the year

Figure: Phishing, Malware Hosting, and Drive-by Download Hosting Site Trends for Austria as published in SIRv10


Looking at the specific threats found in Austria I can see that backdoors were found in higher proportions than many other locations in the world. The reason for this is that a backdoor trojan called Win32/IRCbot was the top threat in Austria during this period; IRCBot is a relatively old threat that is still in widespread use by attackers in many regions around the world. In addition, adware was one of the top categories in Austria primarily because JS/Pornpop was found on 16.2% of infected systems. Pornpop was the top threat detected in many regions around the world in the second half of 2010.

Figure: Malware and potentially unwanted software categories in Austria in 4Q10, by percentage of computers affected


Figure: The top 10 malware and potentially unwanted software families in Austria in 4Q10


Why is Austria’s malware infection rate consistently a fraction of the worldwide average? In 2009 we asked the National Computer Emergency Response Team of Austria to help answer this question, and we published the following in the Microsoft Security Intelligence Report volume 7.

Leon Aaron Kaplan, National Computer Emergency Response Team of Austria (

Austria has roughly 8.2 million inhabitants possessing 9.8 mobile phones. It is often regarded as a “testing grounds” for new mobile phone services, especially UMTS. It is industrially highly developed, achieving 15th place in the Human Development Index (2007/2008), (United Nations Development Programme. “Human Development Report 2007/2008.”, The Internet sector is well developed, with DSL and cable being the predominant form of access. It has roughly 5.5 million Internet users as of June/08 which equates to 67% of the population, according to a study by the GfK Group. However, Austria is not the birthplace of the IT industry, nor does it have its own Silicon Valley. We might expect the level of IT know-how and security awareness to be about average, and not as high as in some other IT hot spots of the world. So why does Austria have such a low CCM score?

One potential explanation could be that the “market” is too small, and malware authors prefer to target Germany (a country with 80 million inhabitants) instead of Austria. However, this argument only holds for localized attacks such as phishing. For non-localized malware. such as worms and viruses, an IP address is an IP address, no matter if it is in Austria or not.

Another factor affecting overall IT security seems to be a small and close-knit network of working relationships between technicians working at ISPs. employs many people who formerly worked at large ISPs. A takedown request for a website hosting malware is often therefore just a cell phone call away from the right technician. Therefore the window of opportunity for phishing or malware hosting is small in Austria.

Furthermore, many ISPs have strong IT security enforcement policies. For example, the largest Austrian consumer ISP will disconnect a residential customer if a problem caused by malware on the customer’s computer (such as spam) persists for a week.

While was monitoring the Win32/Conficker worm we came across a very interesting observation: those countries with low software piracy rates were less affected by Conficker. According to the Business Software Alliance[1], Austria is one of the countries with the lowest piracy rates worldwide (24 percent, 5th lowest in the world). [Users in countries with high piracy rates are less likely to use Windows Update to receive critical security updates.

We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.

In the next part of this series of blog posts, I will focus on the threat landscape in Finland.

Tim Rains
Director, Product Management
Trustworthy Computing

[1] Business Software Alliance. “Sixth Annual BSA-IDC Global Software Piracy Study.”